/it's possible to provide security without f*cking over the entire user base//95% of IT "professionals" don't understand how to do this

All that means is there are only 5% of IT professionals who aren't sick of your sh*t yet. Network administration on any level from ISPs on down is a balancing act of delivering service while limiting customers' ability to shoot themselves in the foot.

How does traffic between virtual hosts that doesn't leave the virtualization server constitute a "hole" in the perimeter? Not all internal traffic needs to route through a gatekeeper, for the sake of all that is holy.

It started with SOAP. RPC over http was invented to get past the grouchy network admins who refused to allow DCOM or CORBA messages through the firewall. Port 80 was allowed, so port 80 is what we used. No more requests to IT to open up a port.

Then the Cloud, so that managers were free to expense their IT costs directly on their expense reports, rather than going down the months-long road of consuming the "services" of provisioning, sizing, installing and deploying hardware, only to have to do it all over again when needs changed. IT couldn't figure out how to streamline this process and do it accurately, so now we use the Cloud to automate away all the guesswork and get things done.

Next: BYOD. Hot on the heels of Bring Your Own Phone, people interested in getting things done began to bring their home machines into work so they could have something reliable and productive to use. Once again, IT presented itself as an obstacle, and they were overcome like an obstacle.

Now enterprise IT is so dependent on the productivity offered by these paradigms, they couldn't cope with things the way they were. Enterprise IT will be automated away, piece by piece, until the only ones left are happy, friendly, competent and eager to guide users through difficult and novel problems. If I were in IT, I would stop asking why my customers want to do something and arguing with them over whether it's a good idea, and start helping them achieve their goals. Otherwise they'll turn to Amazon, Microsoft, Apple or some other organization to get the services they need.

Anybody who thinks a firewall and a router are the same thing has never worked on either of those two types of gear that are of a respectable scale.

Sure, you can take a router and put some ACLs on it, but that's not even a percentage of what an actual firewall does.

I mean, you bought a 4 port Linksys router/switch. That's JUST like working on a Cisco 6513 or a Juniper 8126, right?

Most days, I REALLY wish network engineering required a state license. You have to get a license to push the cuticles back on people's toenails, but any random buttfarker can legally work on mission critical systems like the cell phone network.

symbolset:Firewalls are straight BS. The only reason for a hardware firewall is because your hosts are accepting untrusted connections in the first place when they should not, and not validating their inputs - which means you fail IT. The network is not trusted. One compromised host inside your firewall and you're PWN3D.

For an added bonus, hardware firewalls are hosts and can be compromised too.

ProfessorOhki:BumpInTheNight: All fine and dandy until one of them unloads a rootkit onto the VM they're sitting on that burrows into the hypervisor and sets up shop.

Sure, that's a risk. But if a piece of malware can get through the OS on a VM IT created and maintains, then break out of the virtualization environment (which is current and patched) and THEN install itself into the machine running the hypervisor (which is current and patched)...

I can't help but think you wouldn't have had much better luck with company-mandated workstations in the same situation. Because at part one of "rootkit" it would have compromised any given machine in your network and happily spread itself to all the others. Which is more trustworthy? Your network gear at catching infections as they travel the LAN, or a hypervisor at maintaining isolation? I honestly don't know; I'm not an IT guy.

I'd put more weight on the network gear, because it's just a bit harder to hack into, IIRC. Of course, both scenarios assume there's someone paying attention well enough to actually catch the damn thing...


socodog:BYOD sounds great in a perfect world, but all of those devices have to be patched, managed, secured, etc. So what happens if you're a developer at Widget corp and your machine is compromised because it's YOUR machine and is thusly not set up securely? IP gets sucked away. Corporate secrets get stolen and worse. Also, are you going to pay to train your IT drones to service EVERY SINGLE piece of gear that comes in? They generally don't have time to dick around with every type of hardware out there to learn it enough to properly support you. When you or your kid or whatever fark up that shiny new tablet you picked up at Microcenter, you're not going to take it to them to have it worked on. Or worse, you just might.

Well, you could use a VPN with a client that checks for appropriate AV, patch versions, etc. before building up the tunnel. Then they remote into a machine that's actually a VM sitting with a few hundred others in a closet somewhere. IT only has to administer the server, you get all the bonuses of virtualization, a large chunk of your network is reduced to a few machines, and the end user gets the same experience at home or in the office. Hell, then firewall all traffic that's not the appropriate remote desktop client and you don't really even need to worry that much about rogue apps on the user's machine poking around your network. If the user's device is stolen or broken, you're out nothing and hardware upgrades aren't your problem anymore. Not to mention you can make regular backups of every single user's machine w/o co-mingling their work and personal files.

Am I missing some reason why that's not a good idea? I mean other than "they still ask for help when they can't get the VPN app installed." Alright, I'll give you the "can't do work at locations with bad/non-existent connectivity," but I'm sure there's some sort of local checkout/merge mechanism for those fancy VMs, right?
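The design in the post above has two enforcement points: a posture check before the tunnel comes up, and a default-deny filter on the tunnel that admits only the remote desktop protocol toward the VM farm. The following is an added example, not code from the thread or from any product; it is a toy policy model in Python, and the subnets (10.200.0.0/16 for VPN clients, 10.50.0.0/24 for the VDI hosts), the port (3389/tcp) and the minimum patch level are all assumptions chosen for the illustration.

```python
"""Toy model of a posture-checked VPN feeding a locked-down VDI farm.

Added example, not code from the thread. Everything below (subnets, port,
patch threshold, field names) is an assumption made for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing: VPN clients land in 10.200.0.0/16, VDI hosts live in
# 10.50.0.0/24. Assumed remote desktop port: 3389/tcp.
VPN_POOL = ip_network("10.200.0.0/16")
VDI_NET = ip_network("10.50.0.0/24")
REMOTE_DESKTOP_PORT = 3389
MIN_PATCH_LEVEL = 42  # assumed build number; older clients are refused a tunnel


@dataclass(frozen=True)
class Posture:
    """What the VPN client reports about the endpoint before connecting."""
    av_running: bool
    patch_level: int


def posture_ok(p: Posture) -> tuple[bool, str]:
    """Stage 1: decide whether a tunnel may be built; returns (allowed, reason)."""
    if not p.av_running:
        return False, "antivirus not running"
    if p.patch_level < MIN_PATCH_LEVEL:
        return False, f"patch level {p.patch_level} below required {MIN_PATCH_LEVEL}"
    return True, "posture ok"


@dataclass(frozen=True)
class Flow:
    """One connection attempt seen on the tunnel."""
    src: str
    dst: str
    proto: str
    dport: int


def tunnel_policy(f: Flow) -> str:
    """Stage 2: default-deny filter on tunnel traffic.

    Only the remote desktop protocol from a VPN client to a VDI host is
    admitted. File shares, other ports, other destinations and client-to-client
    traffic all fall through to DROP, so a rogue app on the user's device
    cannot poke at the rest of the network through the tunnel.
    """
    src, dst = ip_address(f.src), ip_address(f.dst)
    if (src in VPN_POOL and dst in VDI_NET
            and f.proto == "tcp" and f.dport == REMOTE_DESKTOP_PORT):
        return "ACCEPT"
    return "DROP"


def evaluate(posture: Posture, flows: list[Flow]) -> dict[str, object]:
    """Run both stages: a failed posture check means no flows are examined."""
    allowed, reason = posture_ok(posture)
    if not allowed:
        return {"tunnel": False, "reason": reason, "flows": {}}
    decisions = {f"{f.proto}:{f.src}->{f.dst}:{f.dport}": tunnel_policy(f)
                 for f in flows}
    return {"tunnel": True, "reason": reason, "flows": decisions}


# Constructed sample input: four connection attempts from one VPN client.
SAMPLE_FLOWS = [
    Flow("10.200.3.7", "10.50.0.12", "tcp", 3389),  # remote desktop to a VDI host
    Flow("10.200.3.7", "10.50.0.12", "tcp", 445),   # SMB at the same host
    Flow("10.200.3.7", "10.10.0.5", "tcp", 3389),   # remote desktop to a non-VDI host
    Flow("10.200.3.7", "10.200.4.9", "tcp", 3389),  # client to client
]

if __name__ == "__main__":
    for label, p in [("healthy", Posture(True, 50)), ("no-av", Posture(False, 50))]:
        print(label, evaluate(p, SAMPLE_FLOWS))
```

The ordering matters: the posture check gates the tunnel, and the tunnel policy is default-deny rather than a blocklist, so a new service on the VDI subnet stays unreachable from endpoints until someone explicitly allows it.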

Sorry you've had bad experiences with IT. I got out of that end of shiat a LOOOONG time ago for the reasons you listed above.

I don't deal with end users anymore and it's great. I just simply don't care to remove the farked up spyware your 10 year old installed on your company owned laptop YET AGAIN.

BYOD sounds great in a perfect world, but all of those devices have to be patched, managed, secured, etc. So what happens if you're a developer at Widget corp and your machine is compromised because it's YOUR machine and is thusly not set up securely? IP gets sucked away. Corporate secrets get stolen and worse. Also, are you going to pay to train your IT drones to service EVERY SINGLE piece of gear that comes in? They generally don't have time to dick around with every type of hardware out there to learn it enough to properly support you. When you or your kid or whatever fark up that shiny new tablet you picked up at Microcenter, you're not going to take it to them to have it worked on. Or worse, you just might.

No. Just go through the proper channels and do it right. If your request is actually valid, businesswise, your manager should have no issue getting it pushed through.

What do I know, though? I've only been at this about 21 years. Funny how, regardless of how much House MD you've watched, you don't try to tell an ER doctor how to do his job. You've seen Home Improvement, but are you trying to tell the electrician that comes to fix stuff at your house how to do his job?

I said it above, but as an IT worker I know other people in other fields have skill sets I don't, and I never will. I respect the knowledge and skills people have in other professions. But I'm not asking them to hack their registry to solve their problem. When I'm remoted into their machine and tell them to choose a password with 7 or 8 characters only, no more, no less, and I directly emphasize this, then watch as they type out a 15-character password monstrosity, this isn't me asking them to hax0r teh gibson; it's me asking them to understand the concept of counting to 8. Yeah, you're an ER doctor or the best electrician on Earth. That's great. Apparently simple counting just escaped you though, so fark you.


And PLEASE don't get me started on BYOD. That's the most farked up plan I've ever heard of.

ALL gear that connects to the network needs to be owned by the organization.

I don't give a shiat what cool thing you read about in the magazine on the airplane. Write a valid business reason why you need it. Get it pushed through IT for security and viability testing. Follow up with your boss to get him to write a PO, and have the purchasing group buy the GD thing.

socodog:Being old school and really deep in large scale networking still, I have to come out squarely AGAINST cloud initiative.

Cisco is trying to cram it down everybody's throat because it's going to take quite a bit of hardware upgrades to make it worth a shiat.

At the end of the day, though, you're taking the keys to your kingdom, all your eggs, the baby, the bathwater, and your girlfriend's diaphragm and putting it in a box to send down the road to a 3rd party. You have an SLA with them and that's all cool, but an SLA won't stop things like an a-hole with a digger cutting the fiber to their facility or yours. An SLA won't stop rogue administrators from digging around unbeknownst to you. An SLA won't get all of your mission critical data back to your widget makers so you can keep making that all important cash.

Spot on.

And good luck getting a Google or an Amazon to sign an agreement that they will be responsible for the security of your data. An SLA is one thing...but something that gets through an FFIEC visit? Not a chance.

Banks, hospitals, etc...anyone with any responsibility in protecting other people's information will be taking a nose dive off a high cliff into a shallow river when they move their stuff out to "The Cloud".


Brother, I just spent 2 hours trying to explain to a guy that a T1 crossover cable is not an Ethernet crossover cable. And he was the Director of IT for a multi-million dollar company. First round is on me.

ProfessorOhki:"Yesterday, I saw a guy trying to air up his own tires! Ahaha, can you believe it? He wasn't even an expert!"

Let's put a real world spin on your example. The next 75 people try to put air in their tires by blowing it up the tail pipe. And when you try to help them, half of them go "But it looked so easy" and the other half reply "I know about computers and stuff, I own an iPad". And 100% of them are belligerent in their ignorance and will be damned to hell before they'll actually admit to you what they were trying to do.

Want to get pleasant, helpful answers out of a NOC tech? Do the following:
- Explain what you were trying to do.
- Explain what you expected to happen.
- Explain what actually happened.

Do that every time and you'll get an honest answer and, more times than not, a solution within 5 to 10 minutes. Lie in any way and it just adds time and frustration to the troubleshooting.

Um, doesn't that magic box on my desk with the password and the antenna on it act as a firewall? I'm pretty sure it manages incoming connections and doesn't let just any strange traffic stick its unsolicited dirty dick into my computer.

pudding7:ZAZ: I remember way back when we didn't have firewalls. NAT hadn't been invented because addresses were abundant and free for the taking. The box on my desk was visible to the world.

At my office, I just give all our servers and desktops a public IP and skip the whole internal/external network thing. It's easier for everyone. I also just gave everyone Admin rights to their own systems. Talk about a time saver for my desktop support guys. Now the users can install anything they want. Just skip the middleman, you know?

Not only is it a time saver, it'll save tons of money because if everyone has admin rights on their machines we won't even need a support staff!


You joke, but at my old job we had a corporate requirement to run this proprietary program. The program is an absolute piece of shiat that REQUIRES users to have local admin privileges to run.

My boss understood why this was an absolute travesty, but unfortunately we just don't have a choice.

Virtual servers connected to a virtual network run inside this virtual environment. All of this is connected to the traditional physical infrastructure. It can be challenging to manage the traffic between the virtual environment and the physical environment, but the real difficulty is that some of this traffic never leaves the virtual environment, which creates a hole in the network perimeter.